User Behavior monitoring

Service account logging on to a system it has no service-related reason to touch = Alert

  • Unusual process by user

    • Start with Application Control

    • Machine learning can profile PowerShell.exe launched at startup (scheduled, expected) vs. a manual, interactive launch

  • Unusual process by time

  • New Login Locations

  • Unusual Login Time

    • Separate by user group. Sysadmins log in at crazy times. Accountants do not.

  • Account/DNS Enumeration

  • Directory service lookups

  • Unusual protocol use

  • Account Sharing

    • Number of workstations logged into by one user within a time frame

    • Logon within 1 minute of a process creation or logon event for the same user on a different system

    • User logged in externally (VPN/remote) and internally at the same time

  • Improper use of Privileged User Account

    • Domain admin account logging into a regular workstation = Alert

Brute force logins do not require behavioral analysis. A burst of failures is either evil or misconfigured, and either way it needs a ticket. A simple threshold works: 50 failed logons against one account in a minute.

Compromised accounts are likely to generate more access-denied logs, because the attacker probes for what the account can reach. Least privilege makes this easy to spot: a legitimate user who only has the rights they need rarely trips access-denied events.

Look at using a controlled jump box for all domain admin logins. It makes sessions easy to track, and any domain admin logon that does not originate from the jump box becomes an alert.
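The rules above (service account off its home system, domain admin on a workstation, unusual logon time by user group, account sharing across workstations, the 50-failures-per-minute brute force threshold, and domain admin logons not coming from the jump box) reduce to simple correlations over logon events. The following is an added example, not code from the original page: it runs those checks over a constructed set of Windows-style 4624/4625 events. Host roles, user groups, working hours, the jump box IP (10.0.9.100) and the account-sharing threshold are all assumptions chosen for the illustration.

```python
"""Rule-based user behavior checks over Windows-style logon events.

Added example, not from the original page. Field names, hosts, users,
groups, thresholds and IPs below are constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events loosely modelled on Security log 4624 (logon)
# and 4625 (failed logon). Field names are this example's own.
EVENTS = [
    {"time": "2024-03-04T09:02:00", "id": 4624, "user": "jsmith",     "host": "ACCT-WS-07", "src": "10.0.7.21"},
    {"time": "2024-03-04T23:40:00", "id": 4624, "user": "jsmith",     "host": "ACCT-WS-07", "src": "10.0.7.21"},   # accountant at 23:40
    {"time": "2024-03-04T23:41:00", "id": 4624, "user": "asmith_adm", "host": "DC01",       "src": "10.0.9.100"},  # sysadmin at night, via jump box: normal
    {"time": "2024-03-04T10:00:00", "id": 4624, "user": "asmith_adm", "host": "ACCT-WS-07", "src": "10.0.9.5"},    # domain admin on a workstation, not via jump
    {"time": "2024-03-04T10:30:00", "id": 4624, "user": "svc_backup", "host": "HR-WS-12",   "src": "10.0.3.14"},   # service account on a workstation
    {"time": "2024-03-04T10:31:00", "id": 4624, "user": "svc_backup", "host": "BACKUP01",   "src": "10.0.3.14"},   # its expected home
    {"time": "2024-03-04T11:00:00", "id": 4624, "user": "bjones",     "host": "ENG-WS-01",  "src": "10.0.8.30"},
    {"time": "2024-03-04T11:00:30", "id": 4624, "user": "bjones",     "host": "ENG-WS-02",  "src": "10.0.8.31"},
    {"time": "2024-03-04T11:02:00", "id": 4624, "user": "bjones",     "host": "ENG-WS-03",  "src": "10.0.8.32"},   # 3 workstations in 2 minutes
]
# Constructed brute force: 55 failed logons against one account within one minute.
EVENTS += [{"time": f"2024-03-04T12:00:{i:02d}", "id": 4625, "user": "cfo",
            "host": "FIN-WS-01", "src": "203.0.113.9"} for i in range(55)]

# Reference data a SIEM would normally pull from AD / CMDB (all assumed here).
HOST_ROLE = {"ACCT-WS-07": "workstation", "HR-WS-12": "workstation", "ENG-WS-01": "workstation",
             "ENG-WS-02": "workstation", "ENG-WS-03": "workstation", "FIN-WS-01": "workstation",
             "DC01": "server", "BACKUP01": "server", "JUMP01": "jump"}
USER_GROUP = {"jsmith": "accounting", "cfo": "accounting", "bjones": "engineering",
              "asmith_adm": "domain_admin", "svc_backup": "service"}
SERVICE_HOSTS = {"svc_backup": {"BACKUP01"}}          # systems each service account belongs on
JUMP_SOURCES = {"10.0.9.100"}                         # jump box IP; domain admin logons must come from here
WORK_HOURS = {"accounting": (7, 19), "engineering": (7, 20)}  # groups with no entry (sysadmins) have no curfew


def load(events):
    """Parse timestamps and sort chronologically so window rules can scan forward."""
    out = [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]
    return sorted(out, key=lambda e: e["time"])


def brute_force(events, threshold=50, window=timedelta(minutes=1)):
    """Sliding window over 4625s per user: `threshold` failures inside `window` = alert."""
    alerts, by_user = set(), defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_user[e["user"]].append(e)
    for user, fails in by_user.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] >= window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(("brute_force", user, fails[end]["host"]))
    return alerts


def service_account_off_host(events):
    """Service account logging on anywhere other than its expected system(s)."""
    return {("service_account_off_host", e["user"], e["host"]) for e in events
            if e["id"] == 4624 and e["user"] in SERVICE_HOSTS and e["host"] not in SERVICE_HOSTS[e["user"]]}


def privileged_on_workstation(events):
    """Domain admin account logging on to a regular workstation."""
    return {("domain_admin_on_workstation", e["user"], e["host"]) for e in events
            if e["id"] == 4624 and USER_GROUP.get(e["user"]) == "domain_admin"
            and HOST_ROLE.get(e["host"]) == "workstation"}


def not_via_jump_box(events):
    """Domain admin logon whose source address is not the controlled jump box."""
    return {("domain_admin_not_via_jump", e["user"], e["host"]) for e in events
            if e["id"] == 4624 and USER_GROUP.get(e["user"]) == "domain_admin"
            and e["src"] not in JUMP_SOURCES}


def unusual_login_time(events):
    """Logon outside the user's group working hours; groups without hours never fire."""
    alerts = set()
    for e in events:
        hours = WORK_HOURS.get(USER_GROUP.get(e["user"]))
        if e["id"] == 4624 and hours and not (hours[0] <= e["time"].hour < hours[1]):
            alerts.add(("unusual_login_time", e["user"], e["host"]))
    return alerts


def account_sharing(events, max_hosts=2, window=timedelta(minutes=5)):
    """More than `max_hosts` distinct systems logged into by one user within `window`."""
    alerts, by_user = set(), defaultdict(list)
    for e in events:
        if e["id"] == 4624:
            by_user[e["user"]].append(e)
    for user, logons in by_user.items():
        for i, first in enumerate(logons):
            hosts = {x["host"] for x in logons[i:] if x["time"] - first["time"] < window}
            if len(hosts) > max_hosts:
                alerts.add(("account_sharing", user, ",".join(sorted(hosts))))
    return alerts


def run_all(raw_events=EVENTS):
    """Run every rule and return the de-duplicated alerts as sorted (rule, user, host) tuples."""
    events = load(raw_events)
    alerts = set()
    for rule in (brute_force, service_account_off_host, privileged_on_workstation,
                 not_via_jump_box, unusual_login_time, account_sharing):
        alerts |= rule(events)
    return sorted(alerts)


if __name__ == "__main__":
    for alert in run_all():
        print(*alert)
```

The group lookup in `unusual_login_time` is what keeps the sysadmin's 23:41 logon quiet while the accountant's 23:40 logon fires; the same domain admin logon to DC01 passes `not_via_jump_box` only because its source is the jump box address. Every rule is pure over the event list, so the same functions run unchanged over a real export once the reference tables come from the directory.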
